[strongSwan] Setting the virtual ip gateway?

Noel Kuntze noel at familie-kuntze.de
Thu Sep 18 19:27:43 CEST 2014

Hello Cindy,

You don't need to set a virtual gateway. Well, it's actually kind of senseless, because
in IPsec, you define a list of networks that are supposed to be tunneled.
The VPN server gets the client's traffic and routes it based on the routing table it has.
Hence, what you call "virtual gateway" is _always_ the VPN server.
You cannot make the VPN clients route it anywhere else.

About the virtual IP ranges:
The "ipsec pool" [1] tool can do that. You need to use an SQL database for it, though.
You could use an SQLite file for that.

[1] https://wiki.strongswan.org/projects/strongswan/wiki/IpsecPool

Kind regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 17.09.2014 at 23:31, Cindy Moore wrote:
> I have two servers on our public network, let's call them nat and vpn.
> vpn, naturally, has the strongSwan VPN set up on it, etc. (if it
> matters, Ubuntu 14.04 is installed on everything).
> Let's say the public network I have is 4.3.2.0/24 and nat is 4.3.2.1
> and vpn is 4.3.2.2.
>
> So ordinarily, for a server that I put on the private network (let's
> say it's 1.2.3.0/24, and I give this server 1.2.3.4), I set its
> gateway to 1.2.3.250, and nat's /etc/network/interfaces and iptables
> are configured to treat 1.2.3.250 as the gateway for the 1.2.3.0/24
> subnet.
>
> So now I give vpn a handful of addresses from the private network to
> use (say 1.2.3.10-50).
> Therefore vpn hands out a virtual IP (say 1.2.3.15) on a successful
> connection. How does vpn also tell the new connection that its
> virtual gateway is now 1.2.3.250?
>
> I've gone over the ipsec.conf file and I'm not seeing where I can set
> this.  Does the vpn server need to set up some kind of connection to
> 1.2.3.250 itself?
>
> I haven't set this up:
> iptables -t nat -A POSTROUTING -s 10.0.3.0/24 -o eth0 -m policy --dir
> out --pol ipsec -j ACCEPT
> iptables -t nat -A POSTROUTING -s 10.0.3.0/24 -o eth0 -j MASQUERADE
>
> (from https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling
> )
> because server nat already has these in its iptables (in slightly
> different format).
>
> As an aside, is it at all possible to specify a set of available
> virtual IP addresses as a range rather than in CIDR format? I've
> basically been given 1.2.3.102 - 1.2.3.200, which works out to
> 1.2.3.102/31,1.2.3.104/29,1.2.3.112/28,1.2.3.128/26,1.2.3.192/29 in
> CIDR format (facepalm).
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users

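The range-to-CIDR conversion asked about in the quoted message is easy to get slightly wrong by hand, because a range that does not start and end on power-of-two boundaries splits into several blocks of different sizes. The following is an added example, not code from the original thread or from strongSwan, that computes the minimal CIDR decomposition of an inclusive address range with Python's standard `ipaddress` module and then verifies that the resulting blocks cover exactly the requested addresses (no more, no fewer). The range values are the ones from the question; the function names are this example's own.

```python
import ipaddress
from typing import List


def range_to_cidrs(first: str, last: str) -> List[str]:
    """Return the minimal list of CIDR blocks covering first..last inclusive.

    ipaddress.summarize_address_range yields the fewest networks whose union
    is exactly the range, so no address outside the range is included.
    """
    start = ipaddress.ip_address(first)
    end = ipaddress.ip_address(last)
    if end < start:
        raise ValueError("range end precedes range start")
    return [str(net) for net in ipaddress.summarize_address_range(start, end)]


def address_count(cidrs: List[str]) -> int:
    """Total number of addresses contained in the given CIDR blocks."""
    return sum(ipaddress.ip_network(c).num_addresses for c in cidrs)


def cidrs_cover_range(cidrs: List[str], first: str, last: str) -> bool:
    """True only if the blocks cover exactly the addresses first..last.

    Useful for double-checking a hand-written pool definition: a missing
    trailing /32 or an oversized block both make this return False.
    """
    covered = set()
    for c in cidrs:
        covered.update(ipaddress.ip_network(c))
    start = int(ipaddress.ip_address(first))
    end = int(ipaddress.ip_address(last))
    expected = {ipaddress.ip_address(i) for i in range(start, end + 1)}
    return covered == expected


if __name__ == "__main__":
    # Range taken from the question above (1.2.3.102 - 1.2.3.200).
    blocks = range_to_cidrs("1.2.3.102", "1.2.3.200")
    print(",".join(blocks))
    print(address_count(blocks), "addresses")
    print("exact cover:", cidrs_cover_range(blocks, "1.2.3.102", "1.2.3.200"))
```

Running the block prints the decomposition as a comma-separated list that can be checked against a hand computation; `cidrs_cover_range` is the check worth keeping, since an address range that is under- or over-covered by its CIDR list hands out virtual IPs that either collide with other hosts or never get used.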